PHP :: Sec Bug #64296 :: PHP Realpath Directory Listing

Sec Bug #64296	PHP Realpath Directory Listing
Submitted:	2013-02-25 13:35 UTC	Modified:	2021-05-20 12:18 UTC
From:	security at hoax dot io	Assigned:	cmb (profile)
Status:	Not a bug	Package:	Safe Mode/open_basedir
PHP Version:	Irrelevant	OS:	*NIX & WIN
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	security at hoax dot io
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-02-25 13:35 UTC] security at hoax dot io

Description:
------------
Realdir is quite verbose, thus allowing attackers to check if files and folders 
exist using the following Regex "$regexp = "/File\((.*)\) is not within/";"

This has been tested on:
5.4.11 & Above

For a Full PoC please check the Test Script


Test script:
---------------
http://pastebin.com/4LTrARUj


Expected result:
----------------
The Directory List of /

Actual result:
--------------
The Directory List of /

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-03-05 18:37 UTC] johannes@php.net

This is not specific to realpath but applies to most/all functions which are affected by open_basedir. I don't think open_basedir should or can provide full secrecy. Doing that is the role of the operating system (file system access rights, chroot, ...). The purpose of open_basedir is, in my opinion, more a safety net than a top security feature.

Leaving this open for others to comment, though.

[2013-03-06 09:33 UTC] security at hoax dot io

Why should open_dir be treated as a safety net?

If a 'end user' can bypass the safety function of open_dir and Safe Mode it should 
be  fixed right,

[2021-05-20 12:18 UTC] cmb@php.net

-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb

[2021-05-20 12:18 UTC] cmb@php.net

If an attacker can run arbitrary scripts, all bets are off.  We do
not classify that as security issue[1].  And having detailed info
regarding the file names in the error log, or on screen during
development is a useful feature, not a bug.

[1] <https://wiki.php.net/security#not_a_security_issue>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 27 11:01:30 2024 UTC